radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

rabin2 crash on invalid tag value in dump_r_bin_dwarf_debug_abbrev #1429

Closed ekse closed 10 years ago

ekse commented 10 years ago

Hi,

I did a bit of fuzzing on rabin2 with melkor; rabin2 will crash if it tries to print an invalid tag value in the dwarf header.

Test executable https://github.com/ekse/code/raw/master/sec/radare2-fuzzing/rabin2-crash-0705.elf

Test build: commit 2b0009b858bac997cef9510993e888f3a048438d

How to reproduce the crash:

$ rabin2 -d  rabin2-crash-0705.elf 
Segmentation fault (core dumped)

Crash location:

0x00007ffff764a831 in dump_r_bin_dwarf_debug_abbrev (f=0x7ffff6fbe400 <_IO_2_1_stdout_>, da=0x6c2a80) at dwarf.c:900
900         fprintf(f, "Tag %s ", dwarf_tag_name_encodings[da->decls[i].tag]);

gdb-peda$ print da->decls[i].tag
$1 = 0xfffdbddc

0xfffdbddc is an invalid offset in dwarf_tag_name_encodings which causes the crash.

Backtrace

#0  0x00007ffff764a831 in dump_r_bin_dwarf_debug_abbrev (f=0x7ffff6fbe400 <_IO_2_1_stdout_>, da=0x6c2a80) at dwarf.c:900
#1  0x00007ffff764c187 in r_bin_dwarf_parse_abbrev_raw (obuf=0x6c28c0 "x\334\373\366\377\177", len=0x1ad, mode=0x0) at dwarf.c:1404
#2  0x00007ffff764c63a in r_bin_dwarf_parse_abbrev (a=0x64f5d0, mode=0x0) at dwarf.c:1503
#3  0x00007ffff7b81d49 in bin_dwarf (core=0x7ffffff9caa0, mode=0x0) at bin.c:384
#4  0x00007ffff7b85d63 in r_core_bin_info (core=0x7ffffff9caa0, action=0x800, mode=0x0, va=0x1, filter=0x7ffffff9ca90, loadaddr=0x0, 
    chksum=0x0) at bin.c:1263
#5  0x00000000004041f9 in main (argc=0x3, argv=0x7fffffffdf48) at rabin2.c:652
#6  0x00007ffff6c1fec5 in __libc_start_main (main=0x40258a <main>, argc=0x3, argv=0x7fffffffdf48, init=<optimized out>,
        fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf38) at libc-start.c:287
#7  0x00000000004018d9 in _start ()

I didn't submit a patch as I am not familiar with the project; I don't know how you prefer to fix the issue, either by ensuring that the RBinDwarfAbbrevDecl struct is not assigned an invalid tag value or by checking in dump_r_bin_dwarf_debug_abbrev that the value is valid (I think option #1 would be better).

ekse commented 10 years ago

The value is being assigned in r_bin_dwarf_parse_abbrev_raw; it does not seem to be checked against valid tag values.

    r_bin_dwarf_init_abbrev_decl(tmpdecl);

    tmpdecl->code = tmp;
    buf = r_uleb128(buf, &tmp);
    tmpdecl->tag = tmp;
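
The two fix options discussed in this thread, validating the tag when it is assigned in the parser and bounds-checking the index when the name is printed, as an added example in C. This is not radare2's code: the tag-name table is a constructed partial one (not dwarf_tag_name_encodings), the ULEB128 reader is a stand-in for r_uleb128, and the struct and function names are hypothetical; DW_TAG_hi_user (0xffff) is the real DWARF upper bound for tag values. The second input byte string encodes the 0xfffdbddc tag from the crash report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DWARF reserves tag values up to DW_TAG_hi_user; anything larger cannot be
 * a legitimate tag, whatever producer wrote the file. */
#define DW_TAG_hi_user 0xffffu

/* Constructed, partial tag-name table for this demonstration only; it is
 * NOT radare2's dwarf_tag_name_encodings. Designated initialisers leave the
 * unlisted slots NULL, and the lookup below has to tolerate that. */
static const char *const tag_names[] = {
    [0x01] = "DW_TAG_array_type",
    [0x02] = "DW_TAG_class_type",
    [0x04] = "DW_TAG_enumeration_type",
    [0x11] = "DW_TAG_compile_unit",
    [0x2e] = "DW_TAG_subprogram",
};
#define TAG_NAME_COUNT (sizeof tag_names / sizeof tag_names[0])

typedef struct {
    uint64_t code;
    uint64_t tag;
    int has_children;
} abbrev_decl;

/* Decode one unsigned LEB128 value from buf[0..len). Returns the number of
 * bytes consumed, or 0 if the input ends mid-value or the value would not
 * fit in 64 bits, so a truncated file can never push the reader past len. */
size_t read_uleb128(const uint8_t *buf, size_t len, uint64_t *out) {
    uint64_t value = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t byte = buf[i];
        if (shift > 63 || (shift == 63 && (byte & 0x7f) > 1)) return 0;
        value |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if (!(byte & 0x80)) { *out = value; return i + 1; }
    }
    return 0; /* ran out of input before the terminating byte */
}

/* Option 2 from the report, checking in the printer: a bounds-checked name
 * lookup that never indexes past the table and treats NULL gaps as unknown. */
const char *tag_name(uint64_t tag) {
    if (tag < TAG_NAME_COUNT && tag_names[tag]) return tag_names[tag];
    return "DW_TAG_<unknown>";
}

/* Option 1 from the report, validating at assignment: parse one abbreviation
 * header (code, tag, children flag) and refuse to store a tag outside the
 * range DWARF allows. Returns 1 on success, 0 on truncation or a bad tag. */
int parse_abbrev_decl(const uint8_t *buf, size_t len, abbrev_decl *d, size_t *consumed) {
    size_t off = 0, n;
    uint64_t v;
    n = read_uleb128(buf + off, len - off, &v);
    if (!n) return 0;
    off += n;
    d->code = v;
    n = read_uleb128(buf + off, len - off, &v);
    if (!n) return 0;
    off += n;
    if (v > DW_TAG_hi_user) return 0; /* never assign an impossible tag */
    d->tag = v;
    if (off >= len) return 0;
    d->has_children = buf[off++] != 0;
    if (consumed) *consumed = off;
    return 1;
}

/* Constructed inputs: a well-formed entry (code 1, DW_TAG_compile_unit,
 * has children) and one carrying the 0xfffdbddc tag from the crash report,
 * ULEB128-encoded as dc fb f6 ff 0f. */
static const uint8_t good_entry[] = { 0x01, 0x11, 0x01 };
static const uint8_t bad_entry[]  = { 0x01, 0xdc, 0xfb, 0xf6, 0xff, 0x0f, 0x01 };

/* Tag of the entry under the strict parser, or UINT64_MAX if rejected. */
uint64_t strict_tag(const uint8_t *buf, size_t len) {
    abbrev_decl d;
    return parse_abbrev_decl(buf, len, &d, NULL) ? d.tag : UINT64_MAX;
}

/* Raw decode of a single ULEB128, or UINT64_MAX if it does not decode. */
uint64_t raw_uleb(const uint8_t *buf, size_t len) {
    uint64_t v;
    return read_uleb128(buf, len, &v) ? v : UINT64_MAX;
}

int main(void) {
    uint64_t t = strict_tag(good_entry, sizeof good_entry);
    printf("good entry: tag 0x%llx (%s)\n", (unsigned long long)t, tag_name(t));
    printf("bad entry: %s by the parser\n",
           strict_tag(bad_entry, sizeof bad_entry) == UINT64_MAX ? "rejected" : "accepted");
    t = raw_uleb(bad_entry + 1, 5);
    printf("raw bad tag 0x%llx prints as %s\n", (unsigned long long)t, tag_name(t));
    return 0;
}
```

Both layers are worth keeping: the parse-time check stops an impossible tag from ever reaching the struct (the reporter's preferred option #1), while the lookup check protects every printer that indexes the name table, including values inside the DWARF range that the table simply has no entry for.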

radare commented 10 years ago

fixed. thanks

On 26 Sep 2014, at 03:26, ekse notifications@github.com wrote:

    The value is being assigned in r_bin_dwarf_parse_abbrev_raw, it does not seem to be checked against valid tag values.

    r_bin_dwarf_init_abbrev_decl(tmpdecl);

    tmpdecl->code = tmp;
    buf = r_uleb128(buf, &tmp);
    tmpdecl->tag = tmp;